#
# This role sets up the various packages and scripts needed for a batcave
#

#
# make directory for nfs mounts to live in
#

- name: create /srv/web/pub for nfs mounts
  file: dest=/srv/web/pub state=directory mode=755
  tags:
  - batcave
  - config

- name: install packages needed
  yum: pkg={{ item }} state=present
  with_items:
  - srm                       # secure rm to delete sensitive files.
  - ansible                   # This is our ansible master, needs ansible installed.
  - ansible-openstack-modules # Needed to manage cloud with ansible
  - yum-metadata-parser       # Needed for rhn sync
  - yum-rhn-plugin            # Needed for rhn sync
  - createrepo_c              # Needed for rhn sync
  - python-sqlalchemy         # Needed for repo2json
  - pyliblzma                 # Needed for repo2json
  - ansible_utils             # Needed for rbac-playbook
  - python-GeoIP              # Needed for geoip scripts
  - python-fedmsg-fasclient   # fasClient fedmsg job
  - bind                      # named-checkzone for dns repo
  - emacs-nox                 # because smooge is weak
  - rpm-sign                  # for the sign-and-import playbook
  - createrepo                # for the sign-and-import playbook
  - unzip                     # general useful util
  - fpaste                    # general useful util
  - lftp                      # needed to easily pull in builds from koji for internal repos
  - git-email                 # needed to send patches for review to the mailing list
  tags:
  - batcave
  - config

- name: setup ssh_known_hosts file
  copy: src=ssh_known_hosts dest=/etc/ssh/ssh_known_hosts mode=0644
  tags:
  - batcave
  - config
  - fingerprints

- name: Set up RHOS repo for cloud client stuff
  copy: src=rhel7-rhos.repo dest=/etc/yum.repos.d/rhel7-rhos.repo
  tags:
  - cloud
  - batcave
  - config

- name: install cloud client packages
  yum: pkg={{ item }} state=present
  with_items:
  - python-novaclient
  - python-neutronclient
  - python-oslo-config
  - python-six
  - python-keystoneclient
  - python-glanceclient
  tags:
  - cloud
  - batcave
  - config


# 
# This is our ansible master, setup ansible
#

- name: setup roots bashrc to note about agents
  copy: src=root_bashrc dest=/root/.bashrc
  tags:
  - batcave
  - config

- name: run daily logview report for ansible actions. 
  copy: src=logview.cron dest=/etc/cron.daily/logview.cron mode=0755
  tags:
  - batcave
  - config
 
- name: setup cron for daily ticketkey reollover
  copy: src=ticketkey.cron dest=/etc/cron.daily/ticketkey.cron mode=0755
  tags:
  - batcave
  - config
#
# Set selinux booleans we need
#

- name: set selinux booleans
  seboolean: name={{ item }} persistent=yes state=yes
  with_items:
  - httpd_can_network_connect
  - httpd_use_nfs
  - httpd_can_network_relay
  tags:
  - batcave
  - config

#
# Scripts
#

#
# Hook to notify on git commits used in git repos
#

- name: setup git-notifier script
  copy: src=git-notifier dest=/usr/local/bin/git-notifier mode=0755
  tags:
  - batcave
  - config


# Hook to republish our bare repos for web viewing.
- name: setup syncgittree.sh script
  copy: src=syncgittree.sh dest=/usr/local/bin/syncgittree.sh mode=0755
  tags:
  - batcave
  - config


#
# Script used to gather encrypted security questions from fas
#

- name: setup /usr/local/bin/retrieve-security-question.py
  copy: src=retrieve-security-question.py dest=/usr/local/bin/retrieve-security-question.py mode=0755
  tags:
  - batcave
  - config

#
# Script to sync ssh keys from fas to openshift instances.
#

- name: setup python module for openshift sync script
  copy: src=oshift_mod.py dest=/usr/local/bin/oshift_mod.py mode=0644
  tags:
  - batcave
  - config

- name: setup setup sync-openshift-keys config
  template: src=sync-openshift-keys.conf.j2 dest=/etc/sync-openshift-keys.conf mode=0600
  tags:
  - batcave
  - config

- name: setup setup sync-openshift-keys script
  copy: src=sync-openshift-keys.py dest=/usr/local/bin/sync-openshift-keys.py mode=0755
  tags:
  - batcave
  - config

# The zodbot server must allow TCP on whatever port zodbot is listening on
# for this to work (currently TCP port 5050).
# Once that is done, you can symlink /usr/local/bin/zodbot-announce-commits.py
# to the 'hooks' directory of the bare repo you're wishing to receive commits
# for, then add a hooks.zodbotchannel to the repo's config file.
# Lastly, add the following lines to your 'update' hook:
# reposource=$(git config hooks.reposource)
# zodbot_channel=$(git config hooks.zodbotchannel)
# python $reposource/hooks/zodbot-announce-commits.py $reposource $zodbot_channel $oldrev $newrev ${1#refs/heads/}

- name: install zodbot-announce-commits script
  copy: src=zodbot-announce-commits.py dest=/usr/local/bin/zodbot-announce-commits.py mode=0755
  tags:
  - batcave
  - config

#
# This is another script to announce commits, this time to the fedmsg bus
#

- name: install fedmsg-announce-commits script
  copy: src=fedmsg-announce-commits.py dest=/usr/local/bin/fedmsg-announce-commits.py mode=0755
  tags:
  - batcave
  - config

#
# This script checks all the virthosts and logs what guests they are running. 
#

- name: install vmdiff.sh cron
  copy: src=vmdiff.sh dest=/etc/cron.hourly/vmdiff.sh mode=0755
  tags:
  - batcave
  - config

#
# Setup public db copy script.
#

- name: setup public db copy script
  copy: src=public-db-copy.cron dest=/etc/cron.daily/public-db-copy.cron mode=0755
  tags:
  - batcave
  - config

#
# Setup job that runs a check/diff ansible run over all playbooks each night.
#

- name: setup checkdiff ansible job
  copy: src=ansible-playbook-check-diff.cron dest=/etc/cron.daily/ansible-playbook-check-diff.cron mode=0755
  tags:
  - batcave
  - config

#
# sync-rhn cron job
#
- name: setup sync-rhn cron
  copy: src=sync-rhn dest=/etc/cron.d/sync-rhn mode=0644
  tags:
  - batcave
  - config

#
# Setup web server config
#
- name: install web server config for batcave (mimetypes)
  copy: src=mime-types.conf dest=/etc/httpd/conf.d/mime-types.conf mode=0644
  tags:
  - batcave
  - config
  - httpd

- name: install web server config for batcave (access rules)
  copy: src=allows dest=/etc/httpd/conf.d/allows mode=0644
  tags:
  - batcave
  - config
  - httpd

- name: install web server config for batcave (main config)
  copy: src=infrastructure.fedoraproject.org.conf dest=/etc/httpd/conf.d/infrastructure.fedoraproject.org.conf mode=0644
  tags:
  - batcave
  - config
  - httpd

#
# this cron job creates a json file from the rhel repos
#

- name: create repo2json directory
  file: dest=/srv/web/repo/json mode=0755 state=directory owner=apache group=apache
  tags:
  - batcave
  - config

- name: create repo2json cron job
  copy: src=repo2json.cron dest=/etc/cron.d/repo2json.cron mode=0644
  tags:
  - batcave
  - config

#
# ansible utils includes our rbac-playbook
#

- name: install ansible_utils config
  copy: src={{ private }}/files/rbac/rbac.yaml dest=/etc/ansible_utils/rbac.yaml mode=0500
  tags:
  - rbac
  - batcave
  - config

#
# Setup geoip scripts. 
# Other machines pull current geoip data from here. 
#

- name: Install geoip download databases script
  copy: src=geoip-download-databases dest=/usr/local/bin/geoip-download-databases mode=0755
  tags:
  - batcave
  - config

- name: Install geoip download cron
  copy: src=geoip-download-databases.cron dest=/etc/cron.d/geoip-download-databases.cron mode=0644
  tags:
  - batcave
  - config

#
# fasClient fedmsg job
#

- name: Install config for fedmsg tigger for fasClient runs
  copy: src=fedmsg-fasclient.py dest=/etc/fedmsg.d/fasclient.py mode=0644
  tags:
  - batcave
  - config

#
# set selinux context for /srv/web/infra
#

- name: check the selinux context of webdir
  command: matchpathcon /srv/web
  register: webdir
  always_run: yes
  changed_when: "1 != 1"
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: /srv/web file contexts
  command: semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?"
  when: webdir.stdout.find('httpd_sys_content_t') == -1
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

#
# set selinux context for public git repos
#

- name: check the selinux context of ansible
  command: matchpathcon /git/ansible
  register: webdir
  always_run: yes
  changed_when: "1 != 1"
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: /git/ansible file contexts
  command: semanage fcontext -a -t git_content_t "/git/ansible(/.*)?"
  when: webdir.stdout.find('git_content_t') == -1
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: check the selinux context of badges
  command: matchpathcon /git/badges
  register: webdir
  always_run: yes
  changed_when: "1 != 1"
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: /git/badges file contexts
  command: semanage fcontext -a -t git_content_t "/git/badges(/.*)?"
  when: webdir.stdout.find('git_content_t') == -1
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: check the selinux context of dns
  command: matchpathcon /git/dns
  register: webdir
  always_run: yes
  changed_when: "1 != 1"
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: /git/dns file contexts
  command: semanage fcontext -a -t git_content_t "/git/dns(/.*)?"
  when: webdir.stdout.find('git_content_t') == -1
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: check the selinux context of infra-docs
  command: matchpathcon /git/infra-docs
  register: webdir
  always_run: yes
  changed_when: "1 != 1"
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website

- name: /git/infra-docs file contexts
  command: semanage fcontext -a -t git_content_t "/git/infra-docs(/.*)?"
  when: webdir.stdout.find('git_content_t') == -1
  tags:
  - config
  - batcave
  - selinux
  - httpd
  - httpd/website
